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About  This  Document 


About  This  Document 


This  document  is  Volume  6  of  the  OCTAVE-S  Implementation  Guide,  a  10-volume  handbook 

supporting  the  OCTAVE-S  methodology.  This  volume  provides  worksheets  to  document 

data  related  to  critical  assets  that  are  categorized  as  people. 

The  volumes  in  this  handbook  are 

•  Volume  1:  Introduction  to  OCTAVE-S  -  This  volume  provides  a  basic  description  of 
OCTAVE-S  and  advice  on  how  to  use  the  guide. 

•  Volume  2:  Preparation  Guidelines  -  This  volume  contains  background  and  guidance  for 
preparing  to  conduct  an  OCTAVE-S  evaluation. 

•  Volume  3:  Method  Guidelines  -  This  volume  includes  detailed  guidance  for  each 
OCTAVE-S  activity. 

•  Volume  4:  Organizational  Information  Workbook  —  This  volume  provides  worksheets  for 
all  organizational-level  information  gathered  and  analyzed  during  OCTAVE-S. 

•  Volume  5:  Critical  Asset  Workbook  for  Information  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  information. 

•  Volume  6:  Critical  Asset  Workbook  for  Systems  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  systems. 

•  Volume  7:  Critical  Asset  Workbook  for  Applications  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  applications. 

•  Volume  8:  Critical  Asset  Workbook  for  People  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  people. 

•  Volume  9:  Strategy  and  Plan  Workbook  -  This  volume  provides  worksheets  to  record  the 
current  and  desired  protection  strategy  and  the  risk  mitigation  plans. 

•  Volume  10:  Example  Scenario  -  This  volume  includes  a  detailed  scenario  illustrating  a 
completed  set  of  worksheets. 
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Abstract 


Abstract 


The  Operationally  Critical  Threat,  Asset,  and  Vulnerability  EvaluationSM  (OCTAVE®) 
approach  defines  a  risk-based  strategic  assessment  and  planning  technique  for  security. 
OCTAVE  is  a  self-directed  approach,  meaning  that  people  from  an  organization  assume 
responsibility  for  setting  the  organization’s  security  strategy.  OCTAVE-S  is  a  variation  of  the 
approach  tailored  to  the  limited  means  and  unique  constraints  typically  found  in  small 
organizations  (less  than  100  people).  OCTAVE-S  is  led  by  a  small,  interdisciplinary  team 
(three  to  five  people)  of  an  organization’s  personnel  who  gather  and  analyze  information, 
producing  a  protection  strategy  and  mitigation  plans  based  on  the  organization’s  unique 
operational  security  risks.  To  conduct  OCTAVE-S  effectively,  the  team  must  have  broad 
knowledge  of  the  organization’s  business  and  security  processes,  so  it  will  be  able  to  conduct 
all  activities  by  itself. 


CMU/SEI-2003-HB-003  Volume  8 


vii 


OCTAVE-S  V1.0 


Introduction 


1  introduction 


This  document  contains  the  Operationally  Critical  Threat,  Asset,  and  Vulnerability  EvaluationSM 
(OCTAVE®)-S  worksheets  related  to  critical  assets  that  are  people.  The  activities  related  to  these 
worksheets  are  focused  on  analyzing  a  critical  asset. 

Table  1  provides  a  brief  introduction  to  the  contents  of  this  workbook,  using  activity  step  numbers 
as  a  key.  For  more  details  about  how  to  complete  each  step,  refer  to  the  OCTAVE®-S  Method 
Guidelines,  which  can  be  found  in  Volume  3  of  the  OCTAVE9 -S  Implementation  Guide. 


Table  1:  Worksheets  Provided  in  This  Workbook 


Step 

Description 

Worksheet 

Activity 

Pages 

Step  6 

Start  a  Critical  Asset  Information 
worksheet  for  each  critical  asset. 
Record  the  name  of  the  critical 
asset  on  its  Critical  Asset 
Information  worksheet . 

Critical  Asset 
Information 

Phase  1 

Process  S2 

S2.1  Select  Critical  Assets 

5-8 

Step  7 

Record  your  rationale  for 
selecting  each  critical  asset  on 
that  asset’s  Critical  Asset 
Information  worksheet. 

Critical  Asset 
Information 

Phase  1 

Process  S2 

S2.1  Select  Critical  Assets 

5-8 

Step  8 

Record  a  description  for  each 
critical  asset  on  that  asset’s 

Critical  Asset  Selection 
worksheet.  Consider  who  uses 
each  critical  asset  as  well  as  who 
is  responsible  for  it. 

Critical  Asset 
Information 

Phase  1 

Process  S2 

S2.1  Select  Critical  Assets 

5-8 

Step  9 

Record  assets  that  are  related  to 
each  critical  asset  on  that  asset’s 
Critical  Asset  Information 
worksheet.  Refer  to  the  Asset 
Identification  worksheet  to 
determine  which  assets  are  related 
to  each  critical  asset. 

Critical  Asset 
Information 

Phase  1 

Process  S2 

S2. 1  Select  Critical  Assets 

5-8 

SM  Operationally  Critical  Threat,  Asset,  and  Vulnerability  Evaluation  is  a  service  mark  of  Carnegie  Mellon 
University. 

®  OCTAVE  is  registered  in  the  United  States  Patent  and  Trademark  Office  by  Carnegie  Mellon 
University. 
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Table  1 :  Worksheets  Provided  in  This  Workbook  (cont.) 


Step 

Description 

Worksheet 

Activity 

Pages 

Step  26 

Transfer  the  stoplight  status  for 
each  security  practice  area  from 
the  Security  Practices  worksheet 
to  the  “Security  Practice  Areas” 
section  (Step  26)  of  each  critical 
asset’s  Risk  Profile  worksheet. 

Risk  Profile 

Security 

Practices 

Phase  3 

Process  S5 

S5.2  Select  Mitigation 
Approaches 

9-24 

Step  27 

Select  a  mitigation  approach 
(mitigate,  defer,  accept)  for  each 
active  risk. 

For  each  risk  that  you  decided  to 
mitigate,  circle  one  or  more 
security  practice  areas  for  which 
you  intend  to  implement 
mitigation  activities. 

Risk  Profile 

Phase  3 

Process  S5 

S5.2  Select  Mitigation 
Approaches 

9-24 
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2  Critical  Asset  Information  Worksheet  for 
People 


Phase  1 
Process  S2 
Activity  S2.1 


Step  6 

Start  a  Critical  Asset  Information  worksheet  for  each  critical  asset.  Record  the  name  of  the 
critical  asset  on  its  Critical  Asset  Information  worksheet. 

Step  7 

Record  your  rationale  for  selecting  each  critical  asset  on  that  asset’s  Critical  Asset 

Information  worksheet. 

Step  8 

Record  a  description  for  each  critical  asset  on  that  asset’s  Critical  Asset  Selection  worksheet. 
Consider  who  uses  each  critical  asset  as  well  as  who  is  responsible  for  it. 

Step  9 

Record  assets  that  are  related  to  each  critical  asset  on  that  asset’s  Critical  Asset  Information 
worksheet.  Refer  to  the  Asset  Identification  worksheet  to  determine  which  assets  are  related 
to  each  critical  asset. 

Phase  1 

Process  S2 

Activity  S2.2 

Step  10 

Record  the  security  requirements  for  each  critical  asset  on  that  asset  s  Critical  Asset 
Information  worksheet . 

. . . . — — . . — — - - - 1 

Step  11 

For  each  critical  asset,  record  the  most  important  security  requirement  on  that 
Critical  Asset  Information  worksheet. 

asset’s 
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Critical  Asset  Information  Worksheet 


Step  S 


Description 

What  special  skills  or  knowledge  are  provided  by  this  person(s)? 


Step  10 


Step  1 1 


Security  Requirements 


What  are  the  security  requirements  for  this  person(s)? 

(Hint:  Focus  on  what  the  security  requirements  should  be,  not  what  they  currently  are.) 


□  Availability  The  set  of  skills  provided  by_ 


must  be  available  when  needed. 


□  Other 


Most  Important  Security 
Requirement 


Which  security  requirement 
is  most  important  for  this 
person(s)? 


□  Availability 

□  Other 
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Risk  Profile  Worksheet  for  People:  Other 


3  Risk  Profile  Worksheet  for  People  -  Other 
Problems 


Step  12 

Complete  the  threat  tree  for  other  problems.  Mark  each  branch  of  each  tree  for  which  there 
is  a  non-negligible  possibility  of  a  threat  to  the  asset. 

If  you  have  difficulty  interpreting  a  threat  on  the  threat  tree,  review  the  description  and 
examples  of  that  threat  in  the  Threat  Translation  Guide  (see  pp.  26-30  of  this  workbook). 

Step  15 


Record  how  often  each  threat  has  occurred  in  the  past.  Also  record  how  accurate  you  believe 
your  data  are. 


Step  16 


Record  areas  of  concern  for  each  source  of  threat  where  appropriate, 
scenario  defining  how  specific  threats  could  affect  the  critical  asset. 


An  area  of  concern  is  a 


continued 
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Risk  Profile  Worksheet  for  People:  Other 
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Mitigate 


Risk  Profile  Worksheet  for  People:  Other 
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Risk  Profile  Worksheet  for  People:  Other 


Areas  of  Concern 
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Risk  Profile  Worksheet  for  People:  Other 
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Mitigate 


Risk  Profile  Worksheet  for  People:  Other 
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Risk  Profile  Worksheet  for  People:  Other 


Areas  of  Concern 
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4  Threat  Translation  Guide 


Threat 

Translation 

Guide 

The  Threat  Translation  Guide  describes  each  branch  of  an  asset-based  threat  tree.  If  you 
have  difficulty  understanding  the  types  of  threats  represented  by  a  branch,  you  can  use  this 
guide  to  decipher  the  meaning  of  that  branch. 

You  will  find  asset-based  threat  trees  for  the  following  sources  of  threat: 


_ _ _ 

Source  of  Threat 

Page 

Other  problems 

26-30 
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Threat  Translation  Guide 


Description 

Example* 

... 

1 

f 

j 

"■ 1  i 

1 

—  1 

... 

_  _ _  i 

— 

A  staff  member(s)  with  unique  knowledge  or  a  unique  skill 
takes  a  temporary  leave  of  absence  from  an  organization. 

The  organization  does  not  have  any  other  staff  members 
with  comparable  skills,  resulting  in  an  interruption  of  access 
to  the  unique  knowledge  or  skill. 

A  key  member  of  the  IT  group  in  a  small  organization  takes 
a  leave  of  absence  to  care  for  an  ill  family  member.  This 
member  of  the  IT  staff  is  responsible  for  maintaining  a 
legacy  order  entry  system.  No  other  staff  members  know 
how  to  maintain  the  system.  The  organization  has  a 
temporary  interruption  of  access  to  a  vital  skill  that  is 
important  to  its  business  operations. 

... 

— 

l . . — —— — - 

— 

... 

... 

— 

. . . . — . . . . . — - — i 

A  staff  member(s)  with  unique  knowledge  or  a  unique  skill 
leaves  an  organization  permanently.  The  organization  does 
not  have  any  other  staff  members  with  comparable  skills, 
resulting  in  an  interruption  of  access  to  the  unique 
knowledge  or  skill  until  a  replacement  if  hired. 

A  clerk  is  responsible  for  entering  data  into  a  database 
system.  The  clerk,  who  is  currently  the  only  one  at  the 
company  who  understands  how  to  use  the  system, 
unexpectedly  leaves  for  a  better  position  at  another 
company.  The  organization  no  longer  has  access  to  a  skill 
that  is  important  to  its  business  operations  until  a 
replacement  is  hired  and  trained. 
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Threat  Translation  Guide 


Description  Example* 


A  service  provider  maintains  the  computing  infrastructure 
for  a  manufacturing  company.  A  shop  floor  scheduling 
system  is  physically  located  at  the  service  provider’s  site.  A 
disgruntled  staff  member  employed  by  the  service  provider 
plants  a  software  “time  bomb”  that  takes  down  the  service 
provider’s  networks  for  several  days.  The  manufacturing 
site’s  access  to  the  shop  floor  scheduling  system  is 
interrupted  until  the  service  provider  can  get  its 
infrastructure  running  again. 


An  organization  depends  on  a  third  party  for  a  particular 
service.  Any  threats  to  the  third  party  that  prevents  them 
from  fulfilling  their  obligations  results  in  an  interruption  of 
service  to  the  organization. 
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